PT-2025-34197 · Mattermost · Mattermost
Hackit_Bharat · Published 2025-08-21 · Updated 2025-08-29
CVE-2025-53971
CVSS v3.1: 3.8 (Low)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions:
Mattermost versions 10.5.x through 10.5.8
Mattermost versions 9.11.x through 9.11.17
Description:
Mattermost fails to properly validate authorization for team scheme role modifications. This allows Team Admins to demote Team Members to Guests via the PUT /api/v4/teams/team-id/members/user-id/schemeRoles API endpoint. The vulnerable parameter is user-id.
Recommendations:
Mattermost versions 10.5.x through 10.5.8: Apply appropriate authorization checks to the /api/v4/teams/team-id/members/user-id/schemeRoles API endpoint to prevent unauthorized role modifications.
Mattermost versions 9.11.x through 9.11.17: Apply appropriate authorization checks to the /api/v4/teams/team-id/members/user-id/schemeRoles API endpoint to prevent unauthorized role modifications.
Weakness Enumeration: Incorrect Authorization
Affected Products: Mattermost
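The recommendation above calls for an authorization check on the schemeRoles endpoint; the following is an added illustration of such a check, written here in Go because the Mattermost server is a Go project, and it is neither Mattermost's own code nor the vendor's fix. The type names, field names and the three-flag request body (scheme_admin, scheme_user, scheme_guest) are assumptions for this example; the rule it enforces is that only a system admin may change a member's guest status, so a Team Admin cannot perform the demotion the advisory describes.

```go
package main

import (
	"errors"
	"fmt"
)

// SchemeRoles mirrors the three flags assumed in the schemeRoles request body.
// Type and field names are assumptions for this example, not Mattermost's code.
type SchemeRoles struct {
	SchemeAdmin bool
	SchemeUser  bool
	SchemeGuest bool
}

// Caller describes the privileges of the authenticated user issuing the PUT.
type Caller struct {
	IsSystemAdmin bool
	IsTeamAdmin   bool // team admin of the team named in the URL
}

var (
	ErrNotTeamAdmin = errors.New("forbidden: caller is not a team admin")
	ErrGuestChange  = errors.New("forbidden: only a system admin may change guest status")
)

// AuthorizeSchemeRoleChange decides whether caller may replace the target
// member's current scheme roles with requested. A team admin may only toggle
// the team-admin flag of a regular member; flipping scheme_guest in either
// direction, or touching a guest's roles at all, is reserved for system admins.
func AuthorizeSchemeRoleChange(caller Caller, current, requested SchemeRoles) error {
	if caller.IsSystemAdmin {
		return nil
	}
	if !caller.IsTeamAdmin {
		return ErrNotTeamAdmin
	}
	if current.SchemeGuest != requested.SchemeGuest || current.SchemeGuest {
		return ErrGuestChange
	}
	return nil
}

func main() {
	teamAdmin := Caller{IsTeamAdmin: true}
	member := SchemeRoles{SchemeUser: true}
	// Member -> guest by a team admin: the demotion the advisory describes, rejected.
	fmt.Println(AuthorizeSchemeRoleChange(teamAdmin, member, SchemeRoles{SchemeGuest: true}))
	// Member -> team admin by a team admin: a legitimate change, allowed (prints <nil>).
	fmt.Println(AuthorizeSchemeRoleChange(teamAdmin, member, SchemeRoles{SchemeUser: true, SchemeAdmin: true}))
}
```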